Abstract. In this paper we study the problem of automatically generating switching controllers for the class of Linear Hybrid Automata, with respect to safety objectives. We identify and solve inaccuracies contained in previous characterizations of the problem, providing a sound and complete symbolic fixpoint procedure, based on polyhedral abstractions of the state space. We also prove the termination of each iteration of the procedure. Some promising experimental results are presented, based on an implementation of the fixpoint procedure on top of the tool PHAVer.

1 Introduction 

Hybrid systems are an established formalism for modeling physical systems which interact with a digital controller. From an abstract point of view, a hybrid system is a dynamic system whose state variables are partitioned into discrete and continuous ones. Typically, continuous variables represent physical quantities like temperature, speed, etc., while discrete ones represent control modes, i.e., states of the controller.

Hybrid automata [8] are the most common syntactic variety of hybrid system: a finite set of locations, similar to the states of a finite automaton, represents the value of the discrete variables. The current location, together with the current value of the (continuous) variables, forms the instantaneous description of the system. Changes of location happen via discrete transitions, and the evolution of the variables is governed by differential equations attached to each location. In a Linear Hybrid Automaton (LHA), the allowed differential equations are in fact differential inclusions of the type $\dot{x} \in P$, where $\dot{x}$ is the vector of the first derivatives of all variables and $P$ is a convex polyhedron. Notice that differential inclusions are non-deterministic, allowing for infinitely many solutions.

The most studied problem for hybrid systems is reachability: computing the set of states that are reachable from the initial states, in any amount of time. The reachability problem for LHAs was proved undecidable in [T^, indicating that no exact discrete abstraction exists. The complexity standing of the problem was further refined to semi-decidable in [14], whose results imply that it is possible to exactly compute the set of states that are reachable within a bounded number of discrete transitions (bounded-horizon reachability).

We study LHAs whose discrete transitions are partitioned into controllable and uncontrollable ones, and we wish to compute a strategy for the controller to satisfy a given goal, regardless of the evolution of the continuous variables and of the uncontrollable transitions. Hence, the problem can be viewed as a two player game [13]: on one side the controller, who can only issue controllable transitions, on the other side the environment, who can choose the trajectory of the variables and can take uncontrollable transitions whenever they are enabled.

As control goal, we consider safety, i.e., the objective of keeping the system within a given region of safe states. This problem has been considered several times in the literature. Here, we fix some inaccuracies in previous presentations, propose a sound and complete procedure for the problem¹, and we present a publicly available implementation of the procedure. In particular, we present a novel algorithm for computing the set of states that may reach a given region while avoiding another one, a problem that is at the heart of the synthesis procedure.

Contrary to most recent literature on the subject, we focus on exact algorithms. Although it is established that exact analysis and synthesis of realistic hybrid systems is computationally demanding, we believe that the ongoing research effort on approximate techniques should be based on the solid grounds provided by the exact approach. For instance, a tool implementing an exact algorithm (like our PHAVer+) may serve as a benchmark to evaluate the performance and the precision of an approximate tool.



Related work. The idea of automatically synthesizing controllers for dynamic systems arose in connection with discrete systems [H]. Then, the same idea was applied to real-time systems modeled by timed automata [TT], thus coming one step closer to the continuous systems that control theory usually deals with. Finally, it was the turn of hybrid systems [14,9], and in particular of Linear Hybrid Automata, the very model that we analyze in this paper. Wong-Toi proposed the first symbolic semi-procedure to compute the controllable region of a LHA w.r.t. a safety goal [14]. The heart of the procedure lies in the operator flow-avoid(U, V), which computes the set of system configurations from which a continuous trajectory may reach the set U while avoiding the set V (hence, in this paper we call this operator RWA, for Reach While Avoiding). Tomlin et al. [13] and Balluchi et al. [3] analyze much more expressive models, with generality in mind rather than automatic synthesis. Their Reach and Unavoid_Pre operators, respectively, again correspond to flow-avoid.

As explained in Section 3.4, the algorithm provided in [14] for flow-avoid does not work for non-convex V, a case which is very likely to occur in practice, even if the original safety goal is convex. A slightly different algorithm for flow-avoid is reported to have been implemented in the tool HoneyTech [6], and we compare it with ours in Section 3.4.

¹ In other words, an algorithm that may or may not terminate, and that provides the correct answer whenever it terminates.

Asarin et al. [1] investigate the synthesis problem for hybrid systems where all discrete transitions are controllable and the trajectories satisfy given linear differential equations of the type $\dot{x} = Ax$. The expressive power of these constraints is incomparable with the one offered by the differential inclusions occurring in LHAs. In particular, linear differential equations give rise to deterministic trajectories, while differential inclusions are non-deterministic. In control theory terms, differential inclusions can represent the presence of environmental disturbances. The tool d/dt [2], by the same authors, is reported to support controller synthesis for safety objectives, but the publicly available version in fact does not.

The rest of the paper is organized as follows. Section 2 introduces and motivates the model. In Section 3 we present the semi-procedure which solves the synthesis problem. Section 4 reports some experiments performed on our implementation of the procedure, while Section 5 draws some conclusions.

2 Linear Hybrid Automata 

A convex polyhedron is a subset of $\mathbb{R}^n$ that is the intersection of a finite number of strict and non-strict affine half-spaces. A polyhedron is a subset of $\mathbb{R}^n$ that is the union of a finite number of convex polyhedra. For a general (i.e., not necessarily convex) polyhedron $G \subseteq \mathbb{R}^n$, we denote by $cl(G)$ its topological closure, and by $\lfloor G \rfloor \subseteq 2^{\mathbb{R}^n}$ its representation as a finite set of convex polyhedra.

Given an ordered set $X = \{x_1, \ldots, x_n\}$ of variables, a valuation is a function $v : X \to \mathbb{R}$. Let $Val(X)$ denote the set of valuations over $X$. There is an obvious bijection between $Val(X)$ and $\mathbb{R}^n$, allowing us to extend the notion of (convex) polyhedron to sets of valuations. We denote by $CPoly(X)$ (resp., $Poly(X)$) the set of convex polyhedra (resp., polyhedra) on $X$.

We use $\dot{X}$ to denote the set $\{\dot{x}_1, \ldots, \dot{x}_n\}$ of dotted variables, used to represent the first derivatives, and $X'$ to denote the set $\{x'_1, \ldots, x'_n\}$ of primed variables, used to represent the new values of variables after a transition. Arithmetic operations on valuations are defined in the straightforward way. An activity over $X$ is a differentiable function $f : \mathbb{R}^{\geq 0} \to Val(X)$. Let $Acts(X)$ denote the set of activities over $X$. The derivative $\dot{f}$ of an activity $f$ is defined in the standard way and it is an activity over $\dot{X}$. A Linear Hybrid Automaton $H = (Loc, X, Edg_c, Edg_u, Flow, Inv, Init)$ consists of the following:

— A finite set $Loc$ of locations.

— A finite set $X = \{x_1, \ldots, x_n\}$ of continuous, real-valued variables. A state is a pair $(l, v)$ of a location $l$ and a valuation $v \in Val(X)$.

— Two sets $Edg_c$ and $Edg_u$ of controllable and uncontrollable transitions, respectively. They describe instantaneous changes of locations, in the course of which variables may change their value. Each transition $(l, \mu, l') \in Edg_c \cup Edg_u$ consists of a source location $l$, a target location $l'$, and a jump relation $\mu \in Poly(X \cup X')$, that specifies how the variables may change their value during the transition. The projection of $\mu$ on $X$ describes the valuations for which the transition is enabled; this is often referred to as a guard.

— A mapping $Flow : Loc \to CPoly(\dot{X})$ attributes to each location a set of valuations over the first derivatives of the variables, which determines how variables can change over time.

— A mapping $Inv : Loc \to Poly(X)$, called the invariant.

— A mapping $Init : Loc \to Poly(X)$, contained in the invariant, defining the initial states of the automaton.

We use the abbreviations $S = Loc \times Val(X)$ for the set of states and $Edg = Edg_c \cup Edg_u$ for the set of all transitions. Moreover, we let $InvS = \bigcup_{l \in Loc} \{l\} \times Inv(l)$ and $InitS = \bigcup_{l \in Loc} \{l\} \times Init(l)$. Notice that $InvS$ and $InitS$ are sets of states. Given a set of states $A$ and a location $l$, we denote by $A{\downarrow_l}$ the projection of $A$ on $l$, i.e. $\{v \in Val(X) \mid (l, v) \in A\}$.

2.1 Semantics 

The behavior of a LHA is based on two types of transitions: discrete transitions 
correspond to the Edg component, and produce an instantaneous change in both 
the location and the variable valuation; timed transitions describe the change of 
the variables over time in accordance with the Flow component. 

Given a state $s = (l, v)$ we set $loc(s) = l$ and $val(s) = v$. An activity $f \in Acts(X)$ is called admissible from $s$ if (i) $f(0) = v$ and (ii) for all $\delta \geq 0$ it holds $\dot{f}(\delta) \in Flow(l)$. We denote by $Adm(s)$ the set of activities that are admissible from $s$. Additionally, for $f \in Adm(s)$, the span of $f$ in $l$, denoted by $span(f, l)$, is the set of all values $\delta \geq 0$ such that $(l, f(\delta')) \in InvS$ for all $0 \leq \delta' \leq \delta$. Intuitively, $\delta$ is in the span of $f$ iff $f$ never leaves the invariant in the first $\delta$ time units. If all non-negative reals belong to $span(f, l)$, we write $\infty \in span(f, l)$.

Runs. Given two states $s, s'$, and a transition $e \in Edg$, there is a discrete step $s \xrightarrow{e} s'$ with source $s$ and target $s'$ iff (i) $s, s' \in InvS$, (ii) $e = (loc(s), \mu, loc(s'))$, and (iii) $(val(s), val(s')[X'/X]) \in \mu$, where $val(s')[X'/X]$ is the valuation in $Val(X')$ obtained from $s'$ by renaming each variable in $X$ with the corresponding primed variable in $X'$. There is a timed step $s \xrightarrow{\delta, f} s'$ with duration $\delta \in \mathbb{R}^{\geq 0}$ and activity $f \in Adm(s)$ iff (i) $s \in InvS$, (ii) $\delta \in span(f, loc(s))$, and (iii) $s' = (loc(s), f(\delta))$. For technical convenience, we admit timed steps of duration zero.² A special timed step is denoted $s \xrightarrow{\infty, f}$ and represents the case when the system follows an activity forever. This is only allowed if $\infty \in span(f, loc(s))$. Finally, a joint step $s \xrightarrow{\delta, f, e} s'$ represents the timed step $s \xrightarrow{\delta, f} (loc(s), f(\delta))$ followed by the discrete step $(loc(s), f(\delta)) \xrightarrow{e} s'$.

² Timed steps of duration zero can be disabled by adding a clock variable $t$ to the automaton and requesting that each discrete transition happens when $t > 0$ and resets $t$ to $0$ when taken.



A run is a sequence

$$ r = s_0 \xrightarrow{\delta_0, f_0} s'_0 \xrightarrow{e_0} s_1 \xrightarrow{\delta_1, f_1} s'_1 \xrightarrow{e_1} s_2 \ldots s_n \ldots \qquad (1) $$

of alternating timed and discrete transitions, such that either the sequence is infinite, or it ends with a timed transition of the type $s_n \xrightarrow{\infty, f_n}$. If the run $r$ is finite, we define $len(r) = n$ to be the length of the run, otherwise we set $len(r) = \infty$. The above run is non-Zeno if for all $\delta > 0$ there exists $i \geq 0$ such that $\sum_{j=0}^{i} \delta_j > \delta$. We denote by $States(r)$ the set of all states visited by $r$. Formally, $States(r)$ is the smallest set containing all states $(loc(s_i), f_i(\delta))$, for all $0 \leq i \leq len(r)$ and all $0 \leq \delta \leq \delta_i$. Notice that the states from which discrete transitions start (the states $s'_i$ in (1)) appear in $States(r)$. Moreover, if $r$ contains a sequence of one or more zero-time timed transitions, all intervening states appear in $States(r)$.

Zenoness and well-formedness. A well-known problem of real-time and hybrid systems is that definitions like the above admit runs that take infinitely many discrete transitions in a finite amount of time (i.e., Zeno runs), even if such behaviors are physically meaningless. In this paper, we assume that the hybrid automaton under consideration generates no such runs. This is easily achieved by using an extra variable, representing a clock, to ensure that the delay between any two transitions is bounded from below by a constant. We leave it to future work to combine our results with more sophisticated approaches to Zenoness known in the literature [3,5].

Moreover, we assume that the hybrid automaton under consideration is non-blocking, i.e., whenever the automaton is about to leave the invariant there must be an uncontrollable transition enabled. Formally, for all states $s$ in the invariant, if all activities $f \in Adm(s)$ eventually leave the invariant, there exists one such activity $f$ and a time $\delta \in span(f, loc(s))$ such that $s' = (loc(s), f(\delta))$ is in the invariant and there is an uncontrollable transition $e \in Edg_u$ such that $s' \xrightarrow{e} s''$. If a hybrid automaton is non-Zeno and non-blocking, we say that it is well-formed. In the following, all hybrid automata are assumed to be well-formed.



Example 1. Consider the LHAs in Figure 1. The fragment in Figure 1(a) is well-formed, because the system may choose derivative $\dot{x} = 0$ and remain indefinitely in location $l$. The fragment in Figure 1(b) is also well-formed, because the system cannot remain in $l$ forever, but an uncontrollable transition leading outside is always enabled. Finally, the fragment in Figure 1(c) is not well-formed, because the system cannot remain in $l$ forever, and no uncontrollable transition is enabled.



[Figure 1 (image not reproduced): three LHA fragments, (a) well-formed, (b) well-formed, (c) not well-formed; one location shows the invariant $x \in [0, 1]$ and the flow constraint $\dot{x} \in [1, 2]$.]

Fig. 1. Three LHA fragments. Locations contain the invariant (first line) and the flow constraint (second line). Solid (resp., dashed) edges represent controllable (resp., uncontrollable) transitions. Guards are true.

Strategies. A strategy is a function $\sigma : S \to 2^{Edg_c \cup \{\bot\}} \setminus \{\emptyset\}$, where $\bot$ denotes the null action. Notice that our strategies are non-deterministic and memoryless (or positional). A strategy can only choose a transition which is allowed by the automaton. Formally, for all $s \in S$, if $e \in \sigma(s) \cap Edg_c$, then there exists $s' \in S$ such that $s \xrightarrow{e} s'$. Moreover, when the strategy chooses the null action, it should continue to do so for a positive amount of time, along each activity that remains in the invariant. If all activities immediately exit the invariant, the above condition is vacuously satisfied. Formally, if $\bot \in \sigma(s)$, for all $f \in Adm(s)$ there exists $\delta > 0$ such that for all $0 \leq \delta' < \delta$ it holds $\delta' \notin span(f, loc(s))$ or $\bot \in \sigma((loc(s), f(\delta')))$. This ensures that the null action is enabled in right-open regions, so that there is an earliest instant in which a controllable transition becomes mandatory.

Notice that a strategy can always choose the null action. The well-formedness 
condition ensures that the system can always evolve in some way, be it a timed 
step or an uncontrollable transition. In particular, even if we are on the boundary 
of the invariant we allow the controller to choose the null action, because, in our 
interpretation, it is not the responsibility of the controller to ensure that the 
invariant is not violated. 

We say that a run like (1) is consistent with a strategy $\sigma$ if for all $0 \leq i \leq len(r)$ the following conditions hold:

— for all $\delta \geq 0$ such that $\sum_{j=0}^{i-1} \delta_j \leq \delta < \sum_{j=0}^{i} \delta_j$, we have $\bot \in \sigma(r(\delta))$;

— if $e_i \in Edg_c$ then $e_i \in \sigma(s'_i)$.

We denote by $Runs(s, \sigma)$ the set of runs starting from the state $s$ and consistent with the strategy $\sigma$. The following result ensures that each strategy has at least one run that is consistent with it; otherwise the controller could surreptitiously satisfy the safety objective by blocking the system. The result can be proved by induction by considering that: as long as the strategy chooses the null action, the system may continue along one of the activities that remain within the invariant; if a state is reached from which all activities immediately leave the invariant, the well-formedness assumption ensures that there exists an uncontrollable transition that is enabled; finally, if the strategy chooses a discrete transition, that transition is enabled.

Theorem 1. Given a well-formed hybrid automaton, for all strategies $\sigma$ and initial states $s \in InitS$, there exists a run that starts from $s$ and is consistent with $\sigma$.



Safety control problem. Given a hybrid automaton $H$ and a set of states $T \subseteq InvS$, the safety control problem asks whether there exists a strategy $\sigma$ such that, for all initial states $s \in InitS$ and all runs $r \in Runs(s, \sigma)$, it holds $States(r) \subseteq T$. We call such a $\sigma$ a winning strategy.



3 Safety Control 

In this section, we consider a fixed hybrid automaton and we present a sound 
and complete procedure to solve the safety control problem. 



3.1 The Abstract Algorithm 

We start by defining some preliminary operators. For a set of states $A$ and $x \in \{u, c\}$, let $Pre^m_x(A)$ (for may predecessors) be the set of states where some discrete transition belonging to $Edg_x$ is enabled which leads to $A$, and let $\overline{A}$ be the set complement of $A$. Analogously, let $Pre^M_x(A) = Pre^m_x(A) \setminus Pre^m_x(\overline{A})$ (the must predecessors) be the set of states where all enabled discrete transitions belonging to $Edg_x$ lead to $A$, and there is at least one such transition enabled.

Theorem 2. The answer to the safety control problem for safe set $T \subseteq InvS$ is positive if and only if

$$ InitS \subseteq \nu W . T \cap CPre(W), $$

where $CPre$ is the controllable predecessor operator below.

Controllable predecessor operator. For a set of states $A$, the operator $CPre(A)$ returns the set of states from which the controller can ensure that the system remains in $A$ during the next joint transition. This happens if for all activities chosen by the environment and all delays $\delta$, one of two situations occurs:

— either the system stays in $A$ up to time $\delta$, while all uncontrollable transitions enabled up to time $\delta$ (included) also lead to $A$, or

— there exists a time $\delta' \leq \delta$, such that the system stays in $A$ up to time $\delta'$, all uncontrollable transitions enabled up to time $\delta'$ (included) also lead to $A$, and the controller can issue a transition at time $\delta'$ leading to $A$.

To improve readability, for a set of states $A$, an activity $f$, and a time delay $\delta \geq 0$ (including infinity), we denote by $While(A, f, \delta)$ the set of states from where following the activity $f$ for $\delta$ time units keeps the system in $A$ all the time, and any uncontrollable transition taken meanwhile also leads into $A$. Formally,

$$ While(A, f, \delta) = \{ s \in S \mid \forall 0 \leq \delta' \leq \delta : (loc(s), f(\delta')) \in A \setminus Pre^m_u(\overline{A}) \}. $$

We can now formally define the $CPre$ operator and prove Theorem 2.

$$ CPre(A) = \{ s \in S \mid \forall f \in Adm(s),\ \delta \in span(f, loc(s)) : s \in While(A, f, \delta) \text{ or } \exists 0 \leq \delta' \leq \delta : s \in While(A, f, \delta') \text{ and } (loc(s), f(\delta')) \in Pre^m_c(A) \}. $$



Proof. [if] We shall first build a winning strategy in two steps. Let $W^* = \nu W . T \cap CPre(W)$ and let $\sigma$ be a strategy defined as follows, for all states $s$:

— $\bot \in \sigma(s)$ and

— if $s \xrightarrow{e} s'$, $s, s' \in W^*$ and $e \in Edg_c$, then $e \in \sigma(s)$.

While $\sigma$ is clearly a strategy, it is not necessarily a winning strategy, as it may admit runs which delay controllable actions either beyond the safety set $W^*$ or beyond their availability. We can, however, recover a winning strategy by restricting $\sigma$ in appropriate ways. For all states $s \in S$ and activities $f \in Adm(s)$, let

$$ D_{f,s} = \{ \delta > 0 \mid \forall 0 \leq \delta' \leq \delta : (loc(s), f(\delta')) \in W^* \text{ and } \sigma((loc(s), f(\delta'))) \cap Edg_c \neq \emptyset \} $$

denote the set of positive time units for which the system can follow activity $f$, starting from $s$, always remaining in $W^*$ with some controllable transition enabled and available to the controller.

Starting from $\sigma$, we can define a new strategy $\sigma'$ which coincides with $\sigma$ on all the states, except for the states $s \in W^*$ with $Edg_c \cap \sigma(s) \neq \emptyset$, where it satisfies $\sigma'(s) \subseteq \sigma(s)$ and the following two conditions:

a) If there is $f \in Adm(s)$ such that $D_{f,s} = \emptyset$, then $\bot \notin \sigma'(s)$;

b) for all $f \in Adm(s)$, if $D_{f,s} \neq \emptyset$, then there exists a $\delta \in D_{f,s}$ with $\bot \notin \sigma'((loc(s), f(\delta)))$ and, for all $0 \leq \delta'' < \delta$, $\bot \in \sigma'((loc(s), f(\delta'')))$.

Intuitively, the new strategy $\sigma'$ ensures that, following any activity from a state $s \in W^*$ in which some controllable action is enabled, a controllable action will always be taken before all of them become unavailable and before leaving $W^*$.

To prove that $\sigma'$ is winning, we must show that for every $s \in InitS$ and every $r \in Runs(s, \sigma')$, $States(r) \subseteq T$. Let

$$ r = s_0 \xrightarrow{\delta_0, f_0} s'_0 \xrightarrow{e_0} s_1 \xrightarrow{\delta_1, f_1} s'_1 \xrightarrow{e_1} s_2 \ldots s_n \ldots $$

be a run consistent with $\sigma'$. The following properties can be proved:

1. if $s_i \xrightarrow{\delta_i, f_i} s'_i$ occurs in $r$, with $\delta_i > 0$ and $s_i \in W^*$, then for all $0 \leq \delta' \leq \delta_i$ it holds $(loc(s_i), f_i(\delta')) \in W^*$;

2. if $s_i \xrightarrow{\infty, f_i}$ occurs in $r$ and $s_i \in W^*$, then for all $\delta' \geq 0$ it holds $(loc(s_i), f_i(\delta')) \in W^*$;

3. if $s'_i \xrightarrow{e_i} s_{i+1}$ occurs in $r$ and $s'_i \in W^*$, then $s_{i+1} \in W^*$.

We shall prove property (1), as (2) can be proved similarly. Since $\delta_i > 0$, by the consistency of $r$ with $\sigma'$, we have $\bot \in \sigma'(s_i)$. Assume, by contradiction, that $(loc(s_i), f_i(\delta')) \notin W^*$ for some $0 \leq \delta' \leq \delta_i$. Since $s_i \in W^* \subseteq CPre(W^*)$, then $s_i \in While(W^*, f_i, \delta)$ for some $\delta \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, and either $\delta = \infty$ or $s_i \xrightarrow{\delta, f_i} s$ and $s \in Pre^m_c(W^*)$.

If $\delta \geq \delta'$, we have an immediate contradiction, since it would imply $s_i \in While(W^*, f_i, \delta')$ and, therefore, $(loc(s_i), f_i(\delta')) \in W^*$.

Assume, then, $\delta < \delta'$. Then $(loc(s_i), f_i(\delta)) \in Pre^m_c(W^*)$, i.e., $(loc(s_i), f_i(\delta)) \xrightarrow{e} s'$ for some $e \in Edg_c$ and $s' \in W^*$. Therefore, both $e \in \sigma'((loc(s_i), f_i(\delta)))$ and, by the consistency of $r$ with $\sigma'$, $\bot \in \sigma'((loc(s_i), f_i(\delta)))$. Since $\bot \in \sigma'((loc(s_i), f_i(\delta)))$, by definition of $\sigma'$ the premise of property a) cannot hold. Therefore, by property b), there must be a $\delta \leq \delta^* < \delta'$ with $\bot \notin \sigma'((loc(s_i), f_i(\delta^*)))$. On the other hand, the consistency of $r$ requires that $\bot \in \sigma'((loc(s_i), f_i(\delta'')))$ for all $0 \leq \delta'' < \delta_i$, which is a contradiction. Therefore, for all $0 \leq \delta' \leq \delta_i$, $(loc(s_i), f_i(\delta')) \in W^*$.

Finally, to prove that $s'_i \in W^*$ we can proceed again by contradiction, assuming $s'_i \notin W^*$. Let $0 \leq \delta' < \delta_i$; then $(loc(s_i), f_i(\delta')) \in W^*$. Therefore, $(loc(s_i), f_i(\delta')) \in CPre(W^*)$ and there exists $\delta' \leq \delta^* < \delta_i$ with $(loc(s_i), f_i(\delta')) \in While(W^*, f_i, \delta^*)$ and $(loc(s_i), f_i(\delta^*)) \in Pre^m_c(W^*)$. Hence, there is a controllable transition $e \in Edg_c$ enabled in $(loc(s_i), f_i(\delta^*))$ and leading to $W^*$. As a consequence, $\{e, \bot\} \subseteq \sigma((loc(s_i), f_i(\delta^*)))$ and, by condition b), $\bot \notin \sigma'((loc(s_i), f_i(\delta)))$ for some $\delta^* \leq \delta < \delta_i$, which contradicts the consistency of $r$ with $\sigma'$; hence $s'_i \in W^*$.

Let us consider property (3). We have two cases. If $e_i \in Edg_c$, then the consistency of $r$ ensures that $e_i \in \sigma'(s'_i)$ which, by definition of $\sigma'$, requires that $s_{i+1} \in W^*$. Assume then that $e_i \in Edg_u$. Then $\bot \in \sigma'(s'_i)$. Since $s'_i \in W^* \subseteq CPre(W^*)$, it must hold $s'_i \in While(W^*, f, 0)$, for every $f \in Adm(s'_i)$. This, in turn, ensures that $s'_i \in W^* \setminus Pre^m_u(\overline{W^*})$; therefore, all the uncontrollable transitions enabled in $s'_i$ lead to $W^*$. Hence the thesis.

To complete the proof, notice that $W^* \subseteq T$ and $s_0 \in InitS \subseteq W^*$. An easy induction on the length of $r$, using properties (1), (2) and (3), gives the result.

[only if] Let $s \notin W^*$; we prove that for all strategies there is a run that starts in $s$, is consistent with the strategy and leaves $T$. Let

— $W_0 = T$,

— $W_\alpha = T \cap CPre(W_{\alpha-1})$, for a successor ordinal $\alpha$, and

— $W_\alpha = \bigcap_{\alpha' < \alpha} W_{\alpha'}$, for a limit ordinal $\alpha$.

We proceed by induction on the smallest ordinal $\lambda$ such that $s \notin W_\lambda$. If $\lambda = 0$, it holds $s \notin T$ and the thesis is immediate.

We will show that if $\lambda > 0$ then $\lambda$ cannot be a limit ordinal. Assume by contradiction that $\lambda$ is a limit ordinal. Since $\lambda$ is the smallest ordinal such that $s \notin W_\lambda$, we have $s \in W_\alpha$ for all $\alpha < \lambda$: this means that $s \in \bigcap_{\alpha < \lambda} W_\alpha$. But, since $\lambda$ is a limit ordinal, $W_\lambda = \bigcap_{\alpha < \lambda} W_\alpha$ and we have that $s \in W_\lambda$, obtaining a contradiction.

Otherwise, if $\lambda > 0$ is a successor ordinal, we have $s \in W_{\lambda-1} \setminus W_\lambda$ and $s \notin CPre(W_{\lambda-1})$. According to the definition of $CPre$, there exists an activity $f \in Adm(s)$ and $\delta \in span(f, loc(s))$ such that $s \notin While(W_{\lambda-1}, f, \delta)$ and for all $0 \leq \delta' \leq \delta$ either $s \notin While(W_{\lambda-1}, f, \delta')$ or $(loc(s), f(\delta')) \notin Pre^m_c(W_{\lambda-1})$.

Let $\delta^*$ be the infimum of those $\delta'$ such that $s \notin While(W_{\lambda-1}, f, \delta')$, i.e.,

$$ \delta^* = \inf \{ \delta' \mid s \notin While(W_{\lambda-1}, f, \delta') \}. \qquad (2) $$

Clearly $0 \leq \delta^* \leq \delta$ and, for all $0 \leq \delta' < \delta^*$, $(loc(s), f(\delta')) \notin Pre^m_c(W_{\lambda-1})$. Hence, any controllable transition enabled in $(loc(s), f(\delta'))$, for any such $\delta'$, leads outside $W_{\lambda-1}$. Therefore, any strategy choosing a controllable transition in some of the states $(loc(s), f(\delta'))$ has a consistent run leading outside $W_{\lambda-1}$. By inductive hypothesis, we obtain the thesis.

If, on the other hand, the strategy allows the controller to stay inactive in all those states, there is a consistent run that reaches $\delta^*$. Then we have two cases. If $\delta^*$ is in fact the minimum of the above set, according to the definition of $While$, there exists $\delta_1 \leq \delta^*$ such that $(loc(s), f(\delta_1)) \in \overline{W_{\lambda-1}} \cup Pre^m_u(\overline{W_{\lambda-1}})$. Therefore, since the controller does not act before $\delta^*$ along this strategy, there is a consistent run that reaches $(loc(s), f(\delta_1))$, which either is in $\overline{W_{\lambda-1}}$ or reaches it after an uncontrollable transition. In both cases, the thesis follows from the inductive hypothesis.

Finally, we have the case in which $\delta^*$ is the infimum but not the minimum of the above set. In this case $0 \leq \delta^* < \delta$ and $(loc(s), f(\delta')) \notin Pre^m_c(W_{\lambda-1})$ for all $0 \leq \delta' \leq \delta^*$. Consider the choice of $\sigma$ in state $(loc(s), f(\delta^*))$. If $\bot \notin \sigma((loc(s), f(\delta^*)))$, the controller issues a discrete move which leads into $\overline{W_{\lambda-1}}$. If, instead, $\bot \in \sigma((loc(s), f(\delta^*)))$, since $\delta^* < \delta \in span(f, loc(s))$, by the definition of strategy $\sigma$ will keep choosing $\bot$ for a non-zero amount of time $\gamma$. By (2), there exists $\delta^* < \delta'' < \delta^* + \gamma$ such that $s \notin While(W_{\lambda-1}, f, \delta'')$. As a consequence, there is a consistent run that reaches a state which either is in $\overline{W_{\lambda-1}}$ or reaches it after an uncontrollable transition. Once again, the thesis is obtained by inductive hypothesis. ∎

3.2 Computing the Predecessor Operator on LHAs 

In this section, we show how to compute the value of the predecessor operator on a given set of states $A$, assuming that the hybrid automaton is a LHA and that we can compute the following operations on arbitrary polyhedra $G$ and $G'$: the Boolean operations $G \cup G'$, $G \cap G'$, and $\overline{G}$; the topological closure $cl(G)$ of $G$; and finally, for a given location $l \in Loc$, the pre-flow of $G$ in $l$:

$$ G{\swarrow_l} = \{ u \in Val(X) \mid \exists \delta \geq 0,\ c \in Flow(l) : u + \delta \cdot c \in G \}. $$

Notice that, for two convex polyhedra $P$ and $P'$, if $P \subseteq P'$ then $P{\swarrow_l} \subseteq P'{\swarrow_l}$ (monotonicity), and $(P{\swarrow_l}){\swarrow_l} = P{\swarrow_l}$ (idempotence).

In the following, we proceed from the basic components of $CPre$ to the full operator. Given a set of states $A$ and a location $l$, we denote by $A{\downarrow_l}$ the projection of $A$ on $l$, i.e. $\{v \in Val(X) \mid (l, v) \in A\}$. For all $A \subseteq InvS$ and $x \in \{c, u\}$, it holds:

$$ Pre^m_x(A) = InvS \cap \bigcup_{(l, \mu, l') \in Edg_x} \{l\} \times \mu^{-1}(A{\downarrow_{l'}}), $$

where $\mu^{-1}(Z)$ is the pre-image of $Z$ w.r.t. $\mu$. We also introduce the auxiliary operator $RWA^m_l$ (may reach while avoiding).³ Given a location $l$ and two sets of variable valuations $U$ and $V$, $RWA^m_l(U, V)$ contains the set of valuations from which the continuous evolution of the system may reach $U$ while avoiding $V$. Notice that on a dense time domain this is not equivalent to reaching $U$ while avoiding $V$: if an activity avoids $V$ in a right-closed interval, and then enters $U \cap V$, the first property holds, while the latter does not. Formally, we have:



An algorithm for effectively computing $RWA^m_l$ is presented in the next section, while the following lemma states the relationship between $CPre$ and $RWA^m_l$. Intuitively, consider the set $B_l$ of valuations $u$ such that from state $(l, u)$ the environment can take a discrete transition leading outside $A$, and the set $C_l$ of valuations $u$ such that from $(l, u)$ the controller can take a discrete transition into $A$. We use the $RWA^m_l$ operator to compute the set of valuations from which there exists an activity that either leaves $A$ or enters $B_l$, while staying in the invariant and avoiding $C_l$. These valuations do not belong to $CPre(A)$, as the environment can violate the safety goal within (at most) one discrete transition. We say that a set of states $A \subseteq S$ is polyhedral if for all $l \in Loc$, the projection $A{\downarrow_l}$ is a polyhedron.

³ In ATL notation, we have $RWA^m_l(U, V) = \langle\langle env \rangle\rangle\, (\overline{V} \cup U)\ \mathcal{U}\ U$, where $env$ is the player representing the environment.

Lemma 1. For all polyhedral sets of states $A \subseteq InvS$, we have

$$ CPre(A) = \bigcup_{l \in Loc} \{l\} \times \Big( A{\downarrow_l} \setminus RWA^m_l\big( InvS{\downarrow_l} \cap (\overline{A{\downarrow_l}} \cup B_l),\ C_l \cup \overline{InvS{\downarrow_l}} \big) \Big), \qquad (3) $$

where $B_l = Pre^m_u(\overline{A}){\downarrow_l}$ and $C_l = Pre^m_c(A){\downarrow_l}$.

Proof. In the following, let $I_l = InvS{\downarrow_l}$.

[⊆] Let $s = (l, u) \in CPre(A)$ and let $f \in Adm(s)$. By definition, $0 \in span(f, l)$ and hence $s \in While(A, f, 0)$. In particular, this implies that $s \in A$ and $u \in A{\downarrow_l}$.

Assume by contradiction that $s$ does not belong to the r.h.s. of (3). Since $u \in A{\downarrow_l}$, it must be

$$ u \in RWA^m_l\big( I_l \cap (\overline{A{\downarrow_l}} \cup B_l),\ C_l \cup \overline{I_l} \big). $$

Then, by definition there exists $f^* \in Adm(s)$ and $\delta^* \geq 0$ such that: (i) $f^*(\delta^*) \in I_l \cap (\overline{A{\downarrow_l}} \cup B_l)$, and (ii) for all $0 \leq \delta < \delta^*$ it holds $f^*(\delta) \in I_l \cap (\overline{C_l} \cup \overline{A{\downarrow_l}} \cup B_l)$. In particular, this implies that $\delta^*$ belongs to $span(f^*, l)$. On the other hand, if we apply the definition of $CPre(A)$ to the activity $f^*$, we obtain that for all $\delta \in span(f^*, l)$ either $s \in While(A, f^*, \delta)$ or there exists $\delta' \leq \delta$ such that $s \in While(A, f^*, \delta')$ and $(l, f^*(\delta')) \in Pre^m_c(A)$. This implies that either $f^*(\delta^*) \in A{\downarrow_l} \cap \overline{B_l}$ or there exists $\delta' \leq \delta^*$ such that $f^*(\delta') \in A{\downarrow_l} \cap \overline{B_l} \cap C_l$, which is a contradiction.

[⊇] Let $l \in Loc$ and $u \in A{\downarrow_l} \setminus RWA^m_l(I_l \cap (\overline{A{\downarrow_l}} \cup B_l), C_l \cup \overline{I_l})$. By complementing the definition of $RWA^m_l$, we obtain that for all activities $f$ that start from $s = (l, u)$ and for all times $\delta \geq 0$, either $f(\delta) \in \overline{I_l} \cup (A{\downarrow_l} \cap \overline{B_l})$ or there exists $\delta' < \delta$ such that

$$ f(\delta') \in \big( \overline{I_l} \cup (A{\downarrow_l} \cap \overline{B_l}) \big) \cap (C_l \cup \overline{I_l}) = \overline{I_l} \cup (A{\downarrow_l} \cap \overline{B_l} \cap C_l) = E_l. $$

First, assume that for all $\delta \geq 0$ it holds $f(\delta) \in \overline{I_l} \cup (A{\downarrow_l} \cap \overline{B_l})$. In this case, for all $\delta \in span(f, l)$, the point $f(\delta)$ belongs to $A{\downarrow_l} \cap \overline{B_l}$. In other words, $s \in While(A, f, \delta)$ and hence $s \in CPre(A)$.

Otherwise, there exists $\delta'$ such that $f(\delta') \in E_l$. Let $\delta^*$ be the infimum of the $\delta'$ with the above property, i.e., $\delta^* = \inf\{\delta' \mid f(\delta') \in E_l\}$. Notice that it holds $f(\delta) \in \overline{I_l} \cup (A{\downarrow_l} \cap \overline{B_l})$ for all $\delta < \delta^*$, which implies $s \in While(A, f, \delta^*)$. If there exists $\delta < \delta^*$ such that $f(\delta) \in \overline{I_l}$, again we conclude that for all $\delta \in span(f, l)$ it holds $f(\delta) \in A{\downarrow_l} \cap \overline{B_l}$ and hence $s \in CPre(A)$. In the rest of the proof, we can assume that $f(\delta) \in I_l$ for all $\delta \leq \delta^*$, and therefore $\delta^* \in span(f, l)$.

If $\delta^*$ is in fact the minimum of the above set, i.e., $f(\delta^*) \in E_l$, then according to the current assumptions we have in particular $f(\delta^*) \in C_l = Pre^m_c(A){\downarrow_l}$. Accordingly, $s \in CPre(A)$. Finally, we are left with the case in which $f(\delta^*) \notin E_l$. By definition, in any neighbourhood of $\delta^*$ there is a time $\delta$ such that $f(\delta) \in E_l$. Due to the fact that $E_l$ is a polyhedron and that $f$ is differentiable, there exists $\delta' > \delta^*$ such that $f(\delta) \in E_l$ for all $\delta^* < \delta \leq \delta'$. Therefore, $s \in While(A, f, \delta')$, and $f(\delta') \in C_l = Pre^m_c(A){\downarrow_l}$. Again, we obtain that $s \in CPre(A)$. ∎

3.3 Computing the $RWA^m_l$ operator on LHAs

In this section, we consider a fixed location $l$. Given two polyhedra $G$ and $G'$, we define their boundary to be

$$ bndry(G, G') = (cl(G) \cap G') \cup (G \cap cl(G')). $$

We can compute $RWA^m_l$ by the following fixpoint characterization.

Theorem 3. For all locations $l$ and sets of valuations $U$, $V$, and $W$, let

$$ \tau(U, V, W) = U \cup \bigcup_{P \in \lfloor \overline{V} \rfloor} \ \bigcup_{P' \in \lfloor W \rfloor} \Big( P \cap \big( bndry(P, P') \cap P'{\swarrow_l} \big){\swarrow_l} \Big). \qquad (4) $$

We have $RWA^m_l(U, V) = \mu W . \tau(U, V, W)$.

Roughly speaking, $\tau(U, V, W)$ represents the set of points which either belong to $U$ or do not belong to $V$ and can reach $W$ along a straight line which does not cross $V$. We can interpret the fixpoint expression $\mu W .\, \tau(U, V, W)$ as an incremental refinement of an under-approximation of the desired result. The process starts with the initial approximation $W_0 = U$. One can easily verify that $U \subseteq RWA^m_l(U, V)$. Additionally, notice that $RWA^m_l(U, V) \subseteq U \cup \overline{V}$. The equation refines the under-approximation by identifying its entry regions, i.e., the boundaries between the area which may belong to the result (i.e., $\overline{V}$) and the area which already belongs to it (i.e., $W$). That is, let $P \in [\![\overline{V}]\!]$ and $P' \in [\![W]\!]$, and let $b = bndry(P, P')$; we call $R = b \cap P'\swarrow_l$ an entry region from $P$ to $P'$, and also an entry region of $W$. The set $R$ contains the points of $b$ that may reach $P'$ by following the continuous evolution of the system. Hence, the system may move from $P$ to $P'$ through $R$. Moreover, the set $R' = P \cap R\swarrow_l$ contains the points of $P$ that can move to $P'$ through $R$. Any point in $\overline{V}$ that may reach an entry region (without reaching $V$ first) must be added to the under-approximation, since it belongs to $RWA^m_l(U, V)$.

Proof of Theorem 3. First, we show that the $\tau$ operator is monotonic w.r.t. its third argument, so that the least fixpoint $\mu W .\, \tau(U, V, W)$ is well defined.

Lemma 2. For all polyhedra $U$, $V$, and $W \subseteq W'$, it holds $\tau(U, V, W) \subseteq \tau(U, V, W')$.

Proof. Assume for simplicity that $[\![W]\!] \subseteq [\![W']\!]$. Then, it is sufficient to observe that, for all $P \in [\![\overline{V}]\!]$, the expression $\bigcup_{P' \in [\![W]\!]} P \cap \big(bndry(P, P') \cap P'\swarrow_l\big)\swarrow_l$ is monotonic w.r.t. $W$, since it is composed of monotonic operators. □

The following lemma allows us to switch from arbitrary activities to piecewise straight lines, within Lemma 4.

Lemma 3 ([14]). For all locations $l$, and valuations $u$ and $v$, if there is an activity $f \in Adm((l,u))$ and a time $\delta > 0$ such that $f(\delta) = v$ avoiding $V$, then there is a finite sequence of straight-line activities leading from $u$ to $v$, each avoiding $V$.

Theorem 3 is an immediate consequence of the following two lemmas.

Lemma 4. For all locations $l$ and polyhedra $U$ and $V$, it holds $RWA^m_l(U, V) \subseteq \mu W .\, \tau(U, V, W)$.

Proof. Let $u \in RWA^m_l(U, V)$ and $W^* = \mu W .\, \tau(U, V, W)$. By definition, $u \in \overline{V} \cup U$. If $u$ belongs to $U$, then it belongs to $W^*$ by definition. If $u$ belongs to $\overline{V} \setminus U$, there must be an activity that starts in $u$ and reaches a point $u' \in U$ without visiting $V \setminus U$. By Lemma 3, there is a finite sequence of straight-line segments leading from $u$ to $u'$ and avoiding $V \setminus U$. Let $u_0, u_1, \ldots, u_k$ be the corresponding sequence of intermediate corner points, where $u_0 = u$ and $u_k = u'$. We proceed by induction on $k$. If $k = 0$, it holds $u = u' \in U$, and the thesis is trivially true. If $k > 0$, we apply the inductive hypothesis to $u_1$, and we obtain that $u_1 \in W^*$. Consider the straight path from $u_0 \in \overline{V} \setminus U$ to $u_1 \in W^*$. This path crosses into $W^*$ at a given point $v$. Formally, $v$ is the first point along the path which belongs to $cl(W^*)$. Hence, there is at least one convex polyhedron $P' \in [\![W^*]\!]$ such that $v \in cl(P')$. If there is more than one such polyhedron, pick the one that contains at least one point of the straight path from $v$ to $u_1$. In this way, we have $v \in P'\swarrow_l$.

Let $n$ be the number of convex polyhedra in $[\![\overline{V} \cup U]\!]$ that are crossed by the straight path from $u_0$ to $v$. We start a new induction on $n$. If $n = 1$, the whole line segment from $u_0$ to $v$ is contained in a given $P \in [\![\overline{V} \cup U]\!]$. Hence, $v \in bndry(P, P')$, where $P'$ is the element of $[\![W^*]\!]$ chosen above. Summarizing, we have $v \in bndry(P, P') \cap P'\swarrow_l$ and $u_0 \in \{v\}\swarrow_l$. We conclude that $u_0 \in W^*$. If $n > 1$, we split the straight path from $u_0$ to $v$ into $n$ segments, defined by the intermediate points $v_1, \ldots, v_{n-1}$, and we apply the inductive hypothesis to $v_1$, obtaining that $v_1 \in W^*$. Finally, we use an argument analogous to the one for $n = 1$ to conclude that $u_0 \in W^*$. □

Lemma 5. For all locations $l$ and polyhedra $U$ and $V$, it holds $RWA^m_l(U, V) \supseteq \mu W .\, \tau(U, V, W)$.

Proof. It suffices to show that $RWA^m_l(U, V)$ is a fixpoint of $\tau$, i.e., $RWA^m_l(U, V) = \tau(U, V, RWA^m_l(U, V))$. Let $u \in \tau(U, V, RWA^m_l(U, V))$; we shall prove that $u \in RWA^m_l(U, V)$. If $u \in U$, the thesis is obvious. Otherwise, there exist $P \in [\![\overline{V}]\!]$ and $P' \in [\![RWA^m_l(U, V)]\!]$ such that $u \in P \cap \big(bndry(P, P') \cap P'\swarrow_l\big)\swarrow_l$. Hence, there is a straight-line activity $f \in Adm((l,u))$ that reaches a point $v \in bndry(P, P') \cap P'\swarrow_l$ while staying in $P \subseteq \overline{V}$. If $v \in P'$, we are done, as we have found an activity from $u$ to $RWA^m_l(U, V)$ which avoids $V \setminus U$. Otherwise, $v$ belongs to $cl(P') \cap P'\swarrow_l$ and, therefore, can reach some point $x \in P'$ through an arbitrarily small flow step along some activity. Since $P' \subseteq RWA^m_l(U, V)$, any other possible point $z$ between $v$ and $x$ along the activity belongs to $P'$ and, therefore, cannot belong to $V \setminus U$. Hence, $v \in RWA^m_l(U, V)$ and, consequently, so does $u$.

Finally, let $u \in RWA^m_l(U, V)$; we show that $u \in \tau(U, V, RWA^m_l(U, V))$. First, notice that $u \in U \cup \overline{V}$. If $u \in U$, the thesis is obvious. Otherwise, there exist $P \in [\![\overline{V}]\!]$ and $P' \in [\![RWA^m_l(U, V)]\!]$ such that $u \in P \cap P'$. Therefore, we also have $u \in bndry(P, P')$ and $u \in P'\swarrow_l$. By (4), we obtain the thesis. □

Termination. The following theorem states the termination of the fixpoint procedure defined in Theorem 3.

Theorem 4. The fixpoint procedure for $RWA^m$ defined in Theorem 3 terminates in a finite number of steps.

In order to prove Theorem 4, we shall need some additional definitions and notation. Given two polyhedra $E$ and $G$ and two convex polyhedra $P \in [\![\overline{E}]\!]$ and $P' \in [\![G]\!]$, if the entry region $R$ from $P$ to $P'$ is not empty, we write $G \xrightarrow[E]{P,R} G'$, where $[\![G']\!] = [\![G]\!] \cup \{P \cap R\swarrow_l\}$, to denote a refinement step. The following lemma can easily be proved exploiting idempotence and monotonicity of $\swarrow_l$.

Lemma 6. Assume $G \xrightarrow[E]{P,R} G'$. For all entry regions $R'$ of $G'$ that are not entry regions of $G$ it holds $R' \subseteq R\swarrow_l$.

Proof. By definition of entry region, $R' = bndry(P', P \cap R\swarrow_l) \cap (P \cap R\swarrow_l)\swarrow_l$, with $P' \in [\![\overline{E}]\!]$ and $P \cap R\swarrow_l \in [\![G']\!]$. Hence, we can write $R' \subseteq (P \cap R\swarrow_l)\swarrow_l$. Moreover, from $(P \cap R\swarrow_l) \subseteq R\swarrow_l$ and by the monotonicity and idempotence properties of $\swarrow_l$ it follows that $(P \cap R\swarrow_l)\swarrow_l \subseteq R\swarrow_l$. Hence the thesis $R' \subseteq (P \cap R\swarrow_l)\swarrow_l \subseteq R\swarrow_l$. □



Intuitively, the fixpoint procedure to compute $RWA^m$ applies, at each iteration $k \geq 1$, all the refinement steps of the form $G \xrightarrow[E]{P,R} G'$, with $E = V$ and $G = \tau^{k-1}(U, V, U)$ (where $\tau^0(U, V, U) = U$ and $\tau^{i+1}(U, V, U) = \tau(U, V, \tau^i(U, V, U))$), for every entry region $R$ of the current under-approximation $G$, following a breadth-first policy. The following lemma makes the relationship between (sequences of) refinement steps and the $\tau(\cdot)$ operator precise.

Lemma 7. If $\pi = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_m,R_m} G_m$ is a sequence of refinement steps with $R$ an entry region of $G_i$, then $R$ is an entry region of $\tau^i(G_0, E, G_0)$.

Proof. Let $\pi' = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_k,R_k} G_k$ be the shortest prefix of $\pi$ such that $R$ is an entry region of $G_k$. Clearly, $k \leq m$. We now proceed by induction on $k$. If $k = 0$, then $R$ is an entry region of $G_0 = \tau^0(G_0, E, G_0)$ and, by monotonicity of the operator $\tau$, the thesis holds.

Assume $k > 0$. Since $R$ is an entry region of $G_k$ but not of $G_{k-1}$ and $[\![G_k]\!] = [\![G_{k-1}]\!] \cup \{P_k \cap R_k\swarrow_l\}$, it must be $R = bndry(P, P_k \cap R_k\swarrow_l) \cap (P_k \cap R_k\swarrow_l)\swarrow_l$, with $P \in [\![\overline{E}]\!]$ and $R_k$ an entry region of $G_{k-1}$. By the induction hypothesis, $R_k$ is an entry region of $\tau^{k-1}(G_0, E, G_0)$. Since $P_k \in [\![\overline{E}]\!]$, by definition of $\tau$ we have $P_k \cap R_k\swarrow_l \subseteq \tau(G_0, E, \tau^{k-1}(G_0, E, G_0)) = \tau^k(G_0, E, G_0)$. Therefore, $R$ is an entry region of $\tau^k(G_0, E, G_0)$. Again, by monotonicity of $\tau$, the thesis follows. □

We shall now show that the number of different entry regions employed by the fixpoint procedure for $RWA^m$ is finite and that the number of its iterations is bounded, thus establishing termination of the procedure itself. We first need some properties of sequences of refinement steps. Given a sequence $\pi = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_k,R_k} G_k$, $last(\pi)$ denotes $G_k$. Moreover, given a convex polyhedron $R$, let $prune(\pi, R)$ be the sequence obtained from $\pi$ by removing all edges which depend on $R$, i.e., such that $R_i \subseteq R\swarrow_l$. Formally, $prune(\pi, R) = G_0 \xrightarrow[E]{P'_1,R'_1} G'_1 \xrightarrow[E]{P'_2,R'_2} \cdots \xrightarrow[E]{P'_m,R'_m} G'_m$ is the largest subsequence of $\pi$ such that $R'_i \not\subseteq R\swarrow_l$, for all $1 \leq i \leq m$. Clearly, we have $m \leq k$. The following lemma states that $prune(\pi, R)$ preserves all the entry regions of $last(\pi)$ that do not depend on $R$.

Lemma 8. Let $\pi = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_k,R_k} G_k$ be a sequence of refinement steps and let $R$ be an entry region of $G_k$ such that $R \not\subseteq R_1\swarrow_l$. Then, there exists a subsequence $\pi'$ of $prune(\pi, R_1)$ such that $R$ is an entry region of $last(\pi')$.

Proof. We proceed by induction on $k$. If $k = 1$, we have that $R$ is an entry region of $G_1$, with $R \not\subseteq R_1\swarrow_l$. By Lemma 6, $R$ must be an entry region of $G_0$.

If $k > 1$, let $j$ be the smallest index such that $R$ is an entry region of $G_j$. If $j = 0$, we are done. Otherwise, by Lemma 6 we have $R \subseteq R_j\swarrow_l$. Consequently, $R_j \not\subseteq R_1\swarrow_l$ (otherwise, by monotonicity it would hold $R \subseteq R_1\swarrow_l$). Apply the inductive hypothesis to the prefix $G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_{j-1},R_{j-1}} G_{j-1}$ and to $R_j$. We obtain that there exists a sequence $\pi'$ that starts from $G_0$, does not use $R_1$, and ends in a polyhedron $G'$ such that $R_j$ is an entry region of $G'$. Hence, for the sequence $\pi' \xrightarrow[E]{P_j,R_j} G''$ we have that $R$ is an entry region of $G''$, and we obtain the thesis. □

We are now ready to state the main property relating entry regions and sequences of refinement steps.

Lemma 9. Let $\pi = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_n,R_n} G_n$ be a sequence of refinement steps and let $R$ be an entry region of $G_n$. Then, there exists a subsequence $\pi' = G_0 \xrightarrow[E]{P'_1,R'_1} G'_1 \xrightarrow[E]{P'_2,R'_2} \cdots \xrightarrow[E]{P'_m,R'_m} G'_m$ such that $R$ is an entry region of $G'_m$ and $P'_i \neq P'_j$ for all $1 \leq i < j \leq m$.

Proof. Let $\pi'' = G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_k,R_k} G_k$ be the shortest prefix of $\pi$ such that $R$ is an entry region of $G_k$. We proceed by induction on $k$. If $k = 0$ or $k = 1$, the thesis immediately follows. If $k > 1$, then $R_k$ is an entry region of $G_{k-1}$ and $R$ is an entry region of $G_k$. Since $k$ is the first index for which $R$ is an entry region of $G_k$, we also have $R \subseteq P_k \cap R_k\swarrow_l$. We can now apply the inductive hypothesis to $G_0 \xrightarrow[E]{P_1,R_1} G_1 \xrightarrow[E]{P_2,R_2} \cdots \xrightarrow[E]{P_{k-1},R_{k-1}} G_{k-1}$ to obtain the subsequence $\pi' = G_0 \xrightarrow[E]{P'_1,R'_1} G'_1 \xrightarrow[E]{P'_2,R'_2} \cdots \xrightarrow[E]{P'_h,R'_h} G'_h$, where $P'_i \neq P'_j$ for all $1 \leq i < j \leq h$, and $R_k$ is still an entry region of $G'_h$.

Hence, $\pi^* = \pi' \xrightarrow[E]{P_k,R_k} G'_{h+1}$ is a sequence of refinement steps, and $R \subseteq P_k \cap R_k\swarrow_l$ implies that $R$ is an entry region of $G'_{h+1}$. Assume $P'_j = P_k$ for some $1 \leq j \leq h$. Considering the subsequence $\hat{\pi} = G'_{j-1} \xrightarrow[E]{P'_j,R'_j} G'_j \xrightarrow[E]{P'_{j+1},R'_{j+1}} \cdots \xrightarrow[E]{P'_h,R'_h} G'_h$, two cases may occur:

1. if $R_k \not\subseteq R'_j\swarrow_l$, then substituting $prune(\hat{\pi}, R'_j)$ for $\hat{\pi}$ in $\pi^*$ we obtain, by Lemma 8, the desired sequence of refinement steps;

2. if $R_k \subseteq R'_j\swarrow_l$, then the prefix $G_0 \xrightarrow[E]{P'_1,R'_1} \cdots \xrightarrow[E]{P'_j,R'_j} G'_j$ of $\pi'$ is the desired sequence. Indeed, by idempotence of $\swarrow_l$, $R_k \subseteq R'_j\swarrow_l$ implies $R_k\swarrow_l \subseteq R'_j\swarrow_l$. Since $P'_j = P_k$, we also have that $P_k \cap R_k\swarrow_l \subseteq P'_j \cap R'_j\swarrow_l$. Therefore, $R \subseteq P_k \cap R_k\swarrow_l \subseteq P'_j \cap R'_j\swarrow_l$. Hence, $R$ is an entry region of $G'_j$. □

An immediate consequence of the previous lemma is that for any entry region $R$ there is a sequence $\pi$ of refinement steps discovering $R$ (i.e., with $R$ an entry region of $last(\pi)$) whose length is bounded by $|[\![\overline{E}]\!]|$.

We can now establish termination of the fixpoint procedure to compute $RWA^m$.



Proof of Theorem 4. Notice that $[\![\overline{V}]\!]$ and $[\![U]\!]$ are finite sets of convex polyhedra, therefore so is the number of initial entry regions of $U$. The fixpoint procedure of Theorem 3 applies the refinement steps in a breadth-first manner starting from the initial entry regions. Therefore, in every iteration each entry region discovered so far is employed in a refinement step. As a consequence of Lemma 9, taking $E = V$ and $G_0 = U$, for every entry region there is a sequence of refinement steps discovering it, whose length is bounded by $|[\![\overline{V}]\!]|$. Therefore, by Lemma 7, after at most $|[\![\overline{V}]\!]|$ iterations of the procedure all the entry regions have been discovered, and the fixpoint is reached at the next iteration. □



3.4 Previous Algorithms

In the literature, the standard reference for safety control of linear hybrid systems is [14]. The model and the abstract algorithm are essentially similar to ours, except that, differently from our semantics, the states from which a discrete transition is taken are subject to the safety constraint. As to the computation of $CPre$, they introduce an operator flow-avoid, which corresponds to our $RWA^m$ operator. They propose to compute $RWA^m_l(U, V)$ using the following fixpoint formula:

$$U \cup \bigcup_{U' \in [\![U]\!],\; V' \in [\![V]\!]} \mu W .\, U' \cup \bigcup_{P \in [\![W]\!]} \Big( cl(P) \cap \overline{V'} \cap (W \cap P)\swarrow_l \Big) \qquad (5)$$

A simple example, however, shows that (5) is different from (in particular, larger than) $RWA^m_l(U, V)$ when $V$ is non-convex. Consider the example in Figure 2(a), where $U$ is the gray box on top and $V$ is the union of the two white boxes. Formula (5) treats the two convex parts of $V$ separately. As a consequence, the result is the area covered by stripes. However, the correct result should not include the area within the thick border (in red-colored stripes), because any point in that region cannot prevent hitting one of the two convex parts of $V$.



(a) Wong-Toi (b) HoneyTech

Fig. 2. Mistakes in previous fixpoint characterizations.
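As an added illustration (not code from the paper or from PHAVer+), the following Python script instantiates the fixpoint $\mu W .\, \tau(U, V, W)$ of Theorem 3, with its entry regions and the iteration bound of Theorem 4, in the simplest setting where every operator is computable by hand: one location, one variable $x$ with flow $\dot{x} \in [a, b]$, $a > 0$, so that every polyhedron is a finite union of intervals and $P\swarrow_l$ is the half-line $(-\infty, \sup P]$ (closed iff $\sup P \in P$). It also recomputes the result treating each convex part of $V$ separately, as formula (5) does, on a constructed instance where that yields a strictly larger set; the interval encoding and the instance are assumptions of this example.

```python
from math import inf

# Added example, not from the paper: mu W . tau(U, V, W) of Theorem 3 for one
# location with a single variable x and flow x' in [a, b], a > 0.  A convex
# polyhedron is an interval (lo, lo_closed, hi, hi_closed); a polyhedron is a
# sorted list of disjoint intervals, i.e. its decomposition [[P]] into convex
# parts.  All intervals below are constructed sample data.

LINE = (-inf, False, inf, False)

def inter(i, j):
    """Intersection of two intervals (None when empty); infinite ends are open."""
    lo, lo_open = max((i[0], not i[1]), (j[0], not j[1]))
    hi, hi_closed = min((i[2], i[3]), (j[2], j[3]))
    if lo > hi or (lo == hi and (lo_open or not hi_closed)):
        return None
    return (lo, not lo_open and lo > -inf, hi, hi_closed and hi < inf)

def union(*polys):
    """Union of polyhedra, normalised into sorted disjoint intervals."""
    out = []
    for iv in sorted(iv for p in polys for iv in p):
        last = out[-1] if out else None
        if last and (iv[0] < last[2] or (iv[0] == last[2] and (iv[1] or last[3]))):
            out[-1] = last[:2] + max(last[2:], iv[2:])
        else:
            out.append(iv)
    return out

def complement(poly):
    """Convex parts of the complement, i.e. the [[not V]] that tau ranges over."""
    out, lo, lo_c = [], -inf, False
    for a, a_c, b, b_c in poly:
        out.append(inter((lo, lo_c, a, not a_c), LINE))
        lo, lo_c = b, not b_c
    out.append(inter((lo, lo_c, inf, False), LINE))
    return [g for g in out if g]

def closure(iv):
    return (iv[0], iv[0] > -inf, iv[2], iv[2] < inf)

def pre(iv):
    """P swarrow_l: with all rates positive, every x <= sup P can flow into P."""
    return (-inf, False, iv[2], iv[3])

def bndry(g, h):
    """bndry(G, G') = (cl(G) ∩ G') ∪ (G ∩ cl(G')) for convex G, G'."""
    return union([p for p in (inter(closure(g), h), inter(g, closure(h))) if p])

def tau(U, V, W):
    """One application of tau(U, V, W), equation (4)."""
    parts = [U]
    for P in complement(V):                  # P ranges over [[not V]]
        for P1 in W:                          # P' ranges over [[W]]
            for b in bndry(P, P1):
                R = inter(b, pre(P1))         # entry region R from P to P'
                R1 = inter(P, pre(R)) if R else None   # R' = P ∩ R swarrow_l
                if R1:
                    parts.append([R1])
    return union(*parts)

def rwa(U, V):
    """mu W . tau(U, V, W) by iteration; returns (fixpoint, iterations used)."""
    U, V, W, n = union(U), union(V), union(U), 0
    while True:
        n, W2 = n + 1, tau(U, V, W)
        if W2 == W:
            return W, n
        W = W2

def split_avoid_set(U, V):
    """Union over V' in [[V]] of rwa(U, V'): treating the convex parts of V
    separately, which is what makes formula (5) over-approximate."""
    return union(*[rwa(U, [Vc])[0] for Vc in union(V)])

# Constructed instance: reach U = [9, 10] while avoiding V = [4, 5] ∪ [7, 8].
U = [(9, True, 10, True)]
V = [(4, True, 5, True), (7, True, 8, True)]

if __name__ == "__main__":
    print(rwa(U, V))               # ([(8, False, 10, True)], 2)
    print(split_avoid_set(U, V))   # [(5, False, 10, True)], strictly larger
```

Points in $(5,7)$ are admitted by the split computation because each of the two pits is avoided on its own, while the exact fixpoint excludes them since any positive-rate flow from there enters $[7,8]$ before $U$; the iteration count stays within $|[\![\overline{V}]\!]| + 1$, as Theorem 4 predicts.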



In [6], Deshpande et al. report on an implementation of Wong-Toi's algorithm in the tool HoneyTech, obtained as an extension of HyTech. The fixpoint formula that is meant to capture $RWA^m_l(U, V)$ is the following:

$$\mu W .\, U \cup \bigcup_{P \in [\![\overline{V}]\!]} \Big( P \cap \big( cl(W) \cap cl(P) \cap \overline{V} \cap W\swarrow_l \big)\swarrow_l \Big) \qquad (6)$$

Compared to (5), formula (6) correctly treats the case of non-convex $V$. However, it suffers from another issue, pertaining to the distinction between topologically open and closed polyhedra. Consider the example in Figure 2(b), where $U$ is the gray box, $V$ is the white box, and dashed lines represent topologically open sides of polyhedra. The result of applying formula (6) is the area covered by near-vertical stripes. This area includes the thick solid line that starts from a corner of $V$. Indeed, if $W$ is the union of $U$ and the striped region and $P \in [\![\overline{V}]\!]$, the thick line is exactly $cl(W) \cap cl(P) \cap \overline{V} \cap W\swarrow_l$. However, this line does not belong to $RWA^m_l(U, V)$, because none of its points can avoid hitting $V$ before eventually reaching $U$.



4 Experiments with PHAVer+

In this section we show experiments on safety control. We implemented the procedure shown in the previous section on top of the open-source tool PHAVer [7]. The experiments were performed on an Intel Xeon (2.80GHz) PC.

Truck Navigation Control. The following example, the Truck Navigation Control (TNC), is derived from the work [6]. Consider an autonomous toy truck, which is responsible for avoiding some 2 by 1 rectangular pits. The truck can take 90-degree left or right turns: the possible directions are North-East (NE), North-West (NW), South-East (SE) and South-West (SW). One time unit must pass between two changes of direction. The control goal consists in avoiding the pits.



Figure 4(a) shows the hybrid automaton that models the system: there is one location for each direction, where the derivatives of the position variables ($x$ and $y$) are set according to the corresponding direction. The variable $t$ represents a clock ($\dot{t} = 1$) that enforces a one-time-unit wait between turns.

Figure 3 shows the three iterations needed to compute the fixpoint of Theorem 2 in the case of two pits. The safe set is the white area, while the gray region contains the points from which it is not possible to avoid the pits.

The input safe region $T$ is the area outside the gray boxes 1 and 2 in Figure 3(a). The first iteration (Figure 3(b)) computes $CPre(T)$ and extends the unsafe set to those points (areas 3, 4, and 5) that will inevitably flow into the pits before the system reaches $t = 1$ and the truck can turn. The second iteration (Figure 3(c)) computes $CPre(CPre(T))$ and extends the unsafe set by adding area 6: those points may turn before reaching the pits, but after the turn they end up in $CPre(T)$ anyway (for instance, if turning left, they end up in area 4 of Figure 3(d)). The third iteration reaches the fixpoint.

We tested our implementation on progressively larger versions of the truck model, by increasing the number of pits. We also considered a version of TNC with non-deterministic continuous flow, allowing some uncertainty on the exact direction taken by the vehicle. Using an exponential scale, Figure 4(b) compares the performance of our tool (solid line for the deterministic model, dashed line for the non-deterministic one) to the performance reported in [6] (dotted line). We were not able to replicate the experiments in [6], since HoneyTech is not publicly available.

(a) The pits to avoid (i.e., $T$). (b) $CPre(T)$, SW direction. (c) $CPre(CPre(T))$, SW direction. (d) $CPre(T)$, SE direction.

Fig. 3. Evolution of the fixpoint in the case of two pits. All figures are cross-sections for $t = 0$. Dashed arrows represent flow direction.

Because of the different hardware used, only a qualitative comparison can be made: going from 1 to 6 pits (as in the case study in [6]), the run time of HoneyTech shows an exponential behavior, while our tool exhibits an approximately linear growth, as shown in Figure 4(b), where the performance of PHAVer+ is plotted up to 9 pits.



Water Tank Control. Consider a system where two tanks, A and B, are linked by a one-directional valve mid (from A to B). There are two additional valves: the valve in to fill A and the valve out to drain B. The two tanks are open-air: the level of the water inside also depends on the potential rain and evaporation. It is possible to change the state of one valve only after one second since the last valve operation. Figure 5(a) is a schematic view of the system.

(a) Hybrid Automaton for TNC. (b) Computation time as a function of the number of pits (HoneyTech, det case; PHAVer+, det case; PHAVer+, ndet case).

Fig. 4. Hybrid Automaton and performance for TNC.

The corresponding hybrid automaton has eight locations, one for each combination of the state (open/closed) of the three valves, and three variables: $x$ and $y$ for the water level in the tanks, and $t$ as the clock that enforces a one-time-unit wait between consecutive discrete transitions. Since the tanks are in the same geographic location, rain and evaporation are assumed to have the same rate in both tanks, thus leading to a proper LHA, that is not rectangular [S].











(a) Schema of the system. (b) Result for all valves closed and $t = 0$. (c) Result with only the mid valve closed and $t = 0$.

Fig. 5. Water Tank Control example.



We set the in and mid flow rates to 1, the out flow rate to 3, the maximum evaporation rate to 0.5 and the maximum rain rate to 1, and solve the synthesis problem for the safety specification requiring the water levels to be between 0 and 8. Figure 5(b) (resp., 5(c)) shows the fixpoint result in the case of all valves closed (resp., in and out open and mid closed). Due to the necessity of a one-second wait before taking a discrete action, in the case of Figure 5(b) $x$ and $y$ must be between 0.5 and 7: otherwise, for example with a level greater than 7 and maximum rain, after one second the level will exceed the limit. In a similar way, with a level less than 0.5 and maximum evaporation, after one second the level would go below the lower bound. The result is computed after 5 iterations in 11 seconds.

5 Conclusions

We revisited the problem of automatically synthesizing a switching controller for an LHA w.r.t. safety objectives. The synthesis procedure is based on the $RWA^m$ operator, for which we presented a novel fixpoint characterization and formally proved its termination.

To the best of our knowledge, this represents the first sound and complete procedure for the task in the literature. We extended the tool PHAVer with our synthesis procedure and performed a series of promising experiments. An account of the challenges involved in the implementation is presented in [H].